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Formal, mathematical methods are most useful when applied early in the design and implementa- 
tion of a software system— that, at least, is the familiar refrain. I will report on a modest effort to 
apply formal methods at the earliest possible stage, namely, in the design of the Ada 95 program- 
ming language itself. This talk is an "experience report” that provides brief case studies illustrat- 
ing the kinds of problems we worked on, how we approached them, and the extent (if any) to which 
the results proved useful. It also derives some lessons and suggestions for those undertaking future 
projects of this kind 

Ada 95 is the first revision of the standard for the Ada programming language. The revision began 
in 1988, when the Ada Joint Programming Office first asked the Ada Board to recommend a plan 
for revising the Ada standard. The first step in the revision was to solicit criticisms of Ada 83. A 
set of requirements for the new language standard, based on those criticisms, was published in 
1990. A small design team, the Mapping Revision Team (MRT), became exclusively responsible for 
revising the language standard to satisfy those requirements. The MRT, from Intermetrics, is led 
by S. Tucker Taft. 

The work of the MRT was regularly subject to independent review and criticism by a committee of 
Distinguished Reviewers and by several advisory teams — for example, by two User/Implementor 
teams, each consisting of an industrial user (attempting to make significant use of the new lan- 
guage on a realistic application) and a compiler vendor (undertaking, experimentally, to modify its 
current implementation in order to provide the necessary new features). One novel decision estab- 
lished the Language Precision Team (LPT), which investigated language proposals from a mathe- 
matical point of view. 

The LPT applied formal mathematical analysis to help improve the design of Ada 95 (e.g., by clari- 
fying the language proposals) and to help promote its acceptance (e.g., by identifying a verifiable 
subset that would meet the needs of safety-critical applications). The first LPT project, which ran 
from the fall of 1990 until the end of 1992, produced studies of severed language issues: optimiza- 
tion, sharing and storage, tasking and protected records, overload resolution, the floating point 
model, distribution, program errors, and object-oriented programming. The second LPT project, in 
1994, formally modeled the dynamic semantics of a large part of the (almost) fined lemguage defini- 
tion, looking especially for interactions between language features. 
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Applies to one expression at one point in program (environment is 
not a state variable) 





Using the formal model of overload resolution 1 f Results of work on overload resolution 
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end alert_system; 
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